Data Defenders: How State Attorneys General Protect Privacy in the US
Kevin Frazier / Feb 13, 2025
Connecticut Attorney General William Tong is one of a number of state attorneys general who have pursued privacy concerns while in office.
A few generations from now, young people reading the history of the Big Tech era will question why the US failed to fight for digital liberty—the ability to experience autonomy and agency in online spaces. They’ll learn about “dark patterns” relied on by behemoth corporations to trick us into waiving our rights. They’ll uncover our willingness to exchange personal data for access to “free” social media platforms. They’ll express surprise when they realize how long we failed to stop data brokers from compiling and selling sensitive information to the highest bidder, including the federal government. Hopefully, they will also learn about the efforts by state attorneys general (AGs) to shield Americans from these and other infringements on their digital liberties.
State AGs have long served as the nation’s data defenders. Consumers are counting on them to keep it up. President Donald Trump has signaled a preference for innovation over regulation, which may not always align with consumer protection. Congress seems unlikely to pass meaningful privacy legislation in the next few years. The opposite problem may be true among state legislatures. Single parties dominate dozens of state legislatures. In fact, in 26 states, a single party has a supermajority in both legislative chambers. The ability of one party to steamroll the other may produce extreme legislation. Partisanship has become a problem in courthouses, too. Allegations of partisan bias seeping into judicial chambers at the state and federal levels have become commonplace.
People seeking to defend their digital liberty may be unable to do so. Even the most consumer-friendly state privacy laws commonly lack private rights of action. It’s also possible that such consumers will find they’ve consented to fight on an uneven legal playing field via arbitration agreements.
Readers may think this lay of the land leaves Americans defenseless. Thankfully, that’s not the case.
How AGs Defend Your Data and Advance Digital Liberty
A review of relatively recent efforts by state AGs shows that many of them have taken their role as the people’s lawyer quite seriously. Individual AGs—red and blue—as well as coalitions of AGs—again, red and blue—have established a track record for advancing digital liberty. This isn’t to say that AGs are flawless. Each office has its own strengths and weaknesses. AGs bear the blame for many of their shortcomings–decisions to prioritize politically salient enforcement actions over those that would better serve the people's interests rest solely on the shoulders of the officeholder, for instance. Their faults, though, are occasionally attributable to others, including consumers in their capacity as voters.
Many AG offices lack the staff and resources to fully enforce the law. By way of example, at a time of consolidation of corporate power in key industries, AGs may find they have too few antitrust attorneys to curtail efforts by corporate behemoths to accumulate greater market share and, by extension, political and corporate power. Like many other parts of state and federal government, they may also face a dearth of technical talent–a key aspect of any office seeking to understand how aging laws apply to novel technologies. The people, of course, are in a position to make a fully staffed AG’s office a priority for state legislators, but that requires voters to understand what’s at stake.
Increased awareness of the positive role state AGs can play in securing digital liberty may give the people an avenue to act on their frustrations. According to a 2023 Pew survey, north of 80 percent of Americans “are concerned with how companies use the data they collect about them.” Nearly 70 percent of Americans “have little to no understanding about what companies do with the data they collect about them.” The combination of concern and an absence of knowledge has led some people to succumb to privacy nihilism. Someone who has bought into this perspective may think: the cat is out of the bag, right? If someone wants to know your social security number badly enough, they’ll find it. That’s the world these days. Deal with it.
Nihilism is unwarranted. State AGs already have many of the legal tools necessary to advance digital liberty. What’s required is a little more public support and assistance. There are two essential things to know about state AGs that can reduce the temptation to succumb to privacy nihilism. First, they are already taking manifold actions to serve as data defenders. Second, they could do even more if the public lent them a hand. In other words, state AGs at once show that there is an effective arm of government that can push back against tech, and they show that members of the public have agency in just how vigorously they would like to defend their privacy interests.
Ongoing Efforts to Advance Digital Liberty
First, it’s worth highlighting the roles AGs can play when directed to champion digital liberty to explain why they warrant the public’s political support and additional funding. AG action tends to fall into several key buckets. There’s enforcement—applying existing laws to novel facts to provide people with the freedom and autonomy they deserve. There’s advocacy—leveraging the authority and expertise of the office to nudge state legislatures, federal regulators, Congress, and the courts to take responsive action to ensure consumer well-being. Then, there’s awareness raising–spreading the word to consumers and civil society organizations about emerging and enduring threats. A few examples of each sort of action should assuage people who find themselves on the verge of–if not already mired in–privacy nihilism.
1. Enforcement
AGs as enforcers have notched important wins against large and small actors alike. In an age of political discord, it’s worth emphasizing that many such wins have come via bipartisan coalitions. Former Washington State Attorney General (and now Governor) Bob Ferguson led a group of 30 AGs investigating a data breach involving Premera Blue Cross that resulted in millions of individuals disclosing sensitive information. Leveraging state and federal privacy laws, the group secured a consent decree that imposed stricter data security controls on Premera. The company also agreed to pay $10 million to the collective states. Washington received most of those funds and planned to invest them in future enforcement of the state’s data security and privacy laws. Similarly, Kwame Raoul, former Attorney General of Illinois, reached a $5 million settlement with Community Health Systems after a data breach that included sensitive information of more than 6 million individuals across the US. That recovery was a fraction of a larger settlement negotiated by 28 states.
Individual AGs have also scored important enforcement victories. Karl Racine, the former Attorney General for the District of Columbia, went to bat for his constituents against Big Tech and reached a $9.5 million settlement with Google. AG Racine alleged that Google “deceived and manipulated consumers to gain access to their location data, including making it nearly impossible for users to stop their location from being tracked.” Former California AG Xavier Becerra likewise took a bold step to protect consumers and reached a settlement with Glow, Inc. This settlement stands out for two reasons. First, it involved an area in which consumers are in a particularly vulnerable position—reproductive rights. Second, it was a preemptive settlement—AG Becerra alleged that Glow's femtech app risked exposing its users' information. In short, no such breach had occurred, but AG Becerra feared that the app’s inadequate safeguards meant such a breach was far from impossible.
The upshot is that AGs have a strong track record of making consumers whole in response to illegal actions by tech companies and proactively looking out for the best interests of consumers when they are particularly reliant on tech for critical services. Bipartisanship in many of these enforcement efforts provides another cause for optimism. More attention to these collaborative and sophisticated successes might quell the general tendency to think privacy is a vestige of the past.
2. Advocacy
State AGs only have so much authority and so many resources to stem the spread of harms brought on by new technologies. They lean on their role as advocates to inspire other actors to fill gaps in consumer protection that may lie beyond the office’s mandate, capacity, or both. When AGs realize they lack a clear law to prevent a socially harmful practice, they can turn to their state legislatures to add a new arrow to their quiver. That’s precisely what Ellen Rosenblum, former AG of Oregon, did when she advised the state legislature to create a data broker registry. Her legislative counterparts did just that. In turn, the people of Oregon benefited from a new means for the AG to look out for their best interests.
AGs can also turn to their federal counterparts to supplement state enforcement efforts. Dozens of AGs took that route when they informed the Federal Trade Commission (FTC) how best to apply federal antitrust law to major online platforms, including Facebook and Amazon. Another set of AGs did the same by calling on the Federal Communications Commission (FCC) to update its approach to identifying and blocking robocallers.
Of course, as lawyers, AGs have a penchant for penning amicus briefs. These briefs give AGs yet another chance to advocate for interpretations of the law that align with the public interest. As with the aforementioned efforts, AGs commonly work together and across party lines to share their expertise with the courts.
3. Awareness
An underappreciated means for AGs to defend data privacy interests comes via raising public awareness. Consumer alerts are the most obvious way for AGs to increase public awareness of a troubling trend, a tactic for consumers to protect themselves, or some other useful information. A full list of such alerts would span several pages. One alert worth mentioning, given current technological trends, came from the office of the New Jersey Attorney General. Issued by former AG Josh Stein, the alert laid out in specific detail how scammers may exploit new AI tools to deceive the public. The alert also provided clear advice to reduce the odds of being tricked by bad actors, including with regard to “out-of-the-blue” calls that purport to be from loved ones or famous people.
Others have followed suit. Iowa AG Brenna Bird also spread the word about AI scams, specifically the possibility of people posing as grandkids to lure grandparents into their nefarious schemes. AGs have covered other consumer protection concerns, too. AG Raoul informed voters about strategies to avoid AI misinformation around the 2024 election. AG Bonta reminded Californians about their rights when engaging with AI systems.
AG offices also raise awareness through their investigatory powers. They can expose information about opaque industries and companies by launching investigations and turning any subsequent information over to the public. Connecticut AG William Tong, for instance, brought light to 23andMe’s self-reported data breach to elicit more information about the extent to which Connecticut residents may have been affected. AG Bonta put companies on notice of an impending “investigative sweep” under the California Consumer Privacy Act. Finally, AG Ferguson proactively surveyed Washingtonians to get a sense of their degree of support for stronger personal health data protections. These disparate actions uncovered information that could inform and improve future consumer protection actions.
Each of these forms of AG action should counter calls for privacy nihilism. AGs are keenly aware of the risks posed to digital liberty. For years, they have allocated scarce resources and political capital to enforce laws, advocate for more consumer protections, and raise awareness of emerging threats to digital liberty. That’s not nothing. In fact, it’s a healthy reminder that even when other governmental actors fail to defend consumers, AGs have stepped up and will continue to do so.
Means to Increase the Capacity of AGs as Data Defenders
State AGs need more assistance from the public to fulfill their potential as data defenders. AG staff cannot spend their days reviewing every new AI tool and probing how it may run afoul of various consumer protection laws. The tech's early adopters—members of the public—have to share their insights and concerns with AG offices to help them keep pace with rapid AI improvements and unpredictable uses of AI. The valuable role engaged people can play in assisting AGs is another reason not to embrace nihilism.
Low popular awareness of the work of AGs ultimately hinders the ability of AG offices around the country to fully execute their responsibilities. While no AG may want to admit that their duties are little understood, efforts by civil society organizations to inform average Americans about AGs signal that there’s more to do to educate the public if AGs are going to form closer ties with the people they aim to serve. The American Constitutional Society recently published a blog post prompting readers to “Get to Know Your State Attorney General; Their Work Matters More than You Know.” A video with a similar message ran on the Federalist Society’s blog. These messaging campaigns do not appear to have had much success. Surveys suggest that very few people know any of their statewide elected officials, including their governor, or what powers and authorities are available to the state government.
The weak ties between people and their AGs complicate the ability of AGs to understand which goods, services, and practices threaten their constituents’ well-being. Though all AGs offer constituents a means to submit complaints, very few constituents likely think of using that outlet when dealing with a bad actor. If AGs are going to keep pace with advances in AI and other emerging technologies, they need to explore ways to empower people to relay their concerns more easily and frequently. Creating a more streamlined means of communication would also stifle the spread of privacy nihilism. People want to know that individuals and entities that oppress consumers will be held accountable; a reliable means to report such behavior can provide that assurance.
Stronger ties between the public and AGs may also have longer-term ramifications. If the public sees that their AG takes their complaints seriously and takes responsive action, they may push their legislators to ensure that the AG’s office has the resources and expertise required to fight the good fight.
Conclusion
State AGs have emerged as pivotal defenders of digital liberty, wielding their authority to challenge corporate overreach, advocate for stronger consumer protections, and raise public awareness about data privacy threats. Their track record—from securing multimillion-dollar settlements to preemptively addressing vulnerabilities—proves that AGs are not just reactive enforcers but proactive champions of consumer interests. However, their ability to act effectively is not without limits. They face constraints in staffing, resources, and public engagement that hinder their capacity to address the rapidly evolving challenges posed by new technologies like AI.
The public’s role in bolstering AG efforts cannot be overstated. For AG offices to fulfill their potential as data defenders, they require the trust, participation, and advocacy of the individuals they aim to protect. Citizens must recognize their agency in this relationship. By leveraging tools such as complaint submissions, participating in public forums, and advocating for increased AG office funding and technical resources, consumers can directly impact the effectiveness of AG offices. Enhanced public support would enable AGs to expand their enforcement capabilities, broaden their advocacy efforts, and deepen their understanding of emerging threats to digital liberty.
Moreover, increasing public awareness of AG actions and their significance can combat the privacy nihilism that has taken root among many Americans. The defeatist mindset that privacy is a relic of the past ignores the tangible victories AGs have achieved and the potential for even greater accomplishments with sufficient public backing. By fostering a culture of accountability and optimism, AGs can inspire a renewed sense of urgency and engagement among people.
As stewards of consumer protection, AGs also offer a critical reminder: the defense of digital liberty is a collective endeavor. It requires collaboration across political lines, among state and federal entities, and between government actors and the public. The bipartisan nature of many AG-led initiatives underscores the possibility of transcending partisanship to prioritize the well-being of the people.
Looking ahead, the path to a more secure digital future lies in strengthening the bond between state AGs and the public. This relationship is symbiotic—AGs rely on public input to identify and address threats, while the public depends on AGs to safeguard their rights in an increasingly complex technological landscape. As young people of the future study this era, let them see not just the challenges but also the decisive actions taken by state AGs, empowered by an engaged and vigilant populace, to protect digital liberty. Let them marvel at how we turned the tide against privacy nihilism and secured a legacy of autonomy, agency, and accountability in the digital age.
